Product: Huntress EDR, Microsoft 365
Environment: Windows, macOS
Summary: The Huntress Incident Simulation tool helps you experience the incident workflow before anything happens in your environment.
The primary goal of this feature is to showcase how Huntress handles a critical incident.
- See how Huntress secures the affected endpoint or identity during an incident.
- Receive an incident report summarizing the incident and listing remediations to approve.
- Evaluate your response protocols and tool workflow realistically without taking any risks.
The Huntress platform only allows account administrators, security engineers, and select Huntress support roles to trigger simulated incidents.
1. Log in to Huntress and go to Simulate an Incident.
2. Select the product type you want to simulate: EDR or Microsoft 365.
3. Select one of your organizations.
4. Select an endpoint that can be isolated or an identity that can be disabled. Choose an endpoint or identity that is OK to use for testing and won't affect business-critical functions.
   Within seconds of the incident being triggered, the endpoint you select WILL be isolated or, for a Microsoft 365 identity, the user's sessions will be revoked and the identity will be disabled. To release the endpoint or re-enable the identity, you'll need to approve the Remediation Plan, as described in Step 8.
5. Select Trigger Incident.
6. Confirm that you want to trigger the incident in the modal that appears. A banner then confirms that the incident went through and the host was isolated. Your last 10 simulated incidents appear at the bottom of the Simulated Incidents page for reference.
7. Click View to open your Incident Report.
   When this incident report is triggered, you will receive notifications however you've configured them, including by SMS or phone (see Incident Notifications - SMS Texts & Calls).
   The Incident Report Huntress creates for your simulated incident is marked Simulated in both the Severity field and above the body of the Incident Report text. Otherwise, it contains the same information as a real malware Incident Report: metadata, actions taken, an overview of what was found, and remediation steps.
   An identity-based Incident Report is very similar but simulates a Session Token Theft.
8. Review and approve your Remediation Plan.
   There will not be assisted remediations for these reports, but you can and should review and approve the remediation plan to resolve the incident.
   When you approve the Remediation Plan, it resolves the Incident and the endpoint is scheduled for release. In the case of identities, the identity is re-enabled.